As supply chains become more digitised and interconnected, technology teams face greater pressure to secure sprawling ecosystems of tools, platforms, and third-party integrations. Achilles CTO Tim Bridgland shares his perspective on how organisations can strengthen resilience, what recent attack patterns teach us, and why software supply-chain security now sits at the centre of procurement confidence.
Q: Technology teams are under growing pressure to secure increasingly complex systems. What is driving that complexity?
Tim Bridgland:
The technology environment for any organisation is now a network of networks. Core systems are no longer isolated. They talk to external tools, workflow engines, data ingestion platforms, and cloud services. Integrations make operations faster and more connected, but they also expand the boundary that security teams must actively protect.
Traditional approaches assumed that an organisation could secure what it owned. Today, teams must secure what they consume. That includes APIs, vendor platforms, authentication layers, and any external service that sits inside critical business processes. The attack surface grows with every integration, and the responsibility grows with it.
Q: What does this shift mean for architecture teams specifically?
Tim:
Architecture teams have to design for permeability. Systems are no longer closed, so the architecture must account for external trust relationships, dependency chains, and platform-level risks.
Three changes stand out:
- More integrations with external tools mean more potential entry points.
- Security must extend far beyond internal systems, because attackers increasingly target the weakest link in the chain, not necessarily the organisation itself.
- Supply-chain and platform dependencies must be treated as part of the architecture, not an afterthought.
The implication is clear. A secure architecture is no longer just about strong internal controls. It’s about continuous visibility into everything connected to the business, including suppliers, platforms, and the technology that underpins them.
Q: One of the examples we have heard you use is the Shai Hulud worm. Why is this such a powerful illustration?
Tim:
Shai Hulud is a good example because it represents the modern attack pattern perfectly. It doesn’t break through the front door. Instead, it compromises developer accounts and harvests tokens, cloud metadata, environment variables, and other embedded credentials.
The attack is delivered through trusted mechanisms. That’s the point. It leverages the organisation’s own tools and supply-chain connections against it. Once inside, it blends multiple attack vectors, making traditional perimeter-based defences largely irrelevant.
This example underlines why supply-chain security matters. Attackers go after the seams between organisations and the tools they rely on. If those seams aren’t monitored, validated, and verified, they become invisible vulnerabilities.
Q: How should organisations respond to attacks that use trusted mechanisms as their entry point?
Tim:
Organisations need to move from “trust by default” to “trust through verification”. That means:
- Treating identity, tokens, and environment variables as high-risk assets
- Implementing continuous credential hygiene, not one-off clean-ups
- Monitoring third-party tooling the same way internal applications are monitored
- Ensuring development environments are as hardened as production environments
- Reducing persistent access wherever possible
Above all, the mindset must change. Supply-chain interfaces are not secondary risks. They are primary risks because attackers rely on them to bypass defences.
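As an added illustration that is not from the interview or from Achilles: one concrete form of "trust through verification" for third-party tooling. Shai Hulud spread through npm packages whose install-time scripts executed inside developer and CI environments, so this Python check parses an npm `package-lock.json` (a constructed sample is embedded) and fails unless every dependency that runs code at install time is on an explicit, version-pinned allowlist. The package names and versions in the sample are constructed; `hasInstallScript` is the flag npm writes into lockfiles of version 2 and later.

```python
import json
from typing import Dict, List

# Constructed sample lockfile (lockfileVersion 3 layout). npm marks packages
# that declare preinstall/install/postinstall scripts with "hasInstallScript".
SAMPLE_LOCK = json.dumps({
    "name": "example-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "dependencies": {"left-pad": "^1.3.0"}},
        "node_modules/left-pad": {"version": "1.3.0"},
        "node_modules/esbuild": {"version": "0.21.0", "hasInstallScript": True},
        "node_modules/example-untrusted-pkg": {"version": "9.9.9", "hasInstallScript": True},
    },
})

# Packages whose install scripts the team has reviewed and accepts (constructed).
# Pinning an exact version means a new release must be re-reviewed, not waved through.
ALLOWED_INSTALL_SCRIPTS = {"esbuild": "0.21.0"}


def packages_with_install_scripts(lock_json: str) -> Dict[str, str]:
    """Return {package name: version} for every dependency that runs code at install time."""
    lock = json.loads(lock_json)
    if lock.get("lockfileVersion", 0) < 2:
        raise ValueError("lockfile v1 has no per-package hasInstallScript flag; regenerate with npm >= 7")
    found: Dict[str, str] = {}
    for path, meta in lock.get("packages", {}).items():
        if path == "" or not meta.get("hasInstallScript"):
            continue  # root project or a package with no install-time scripts
        name = path.rsplit("node_modules/", 1)[-1]  # handles nested node_modules paths and scopes
        found[name] = meta.get("version", "?")
    return found


def unreviewed_install_scripts(lock_json: str, allowlist: Dict[str, str]) -> List[str]:
    """Names of packages that run install scripts without a matching allowlist entry."""
    return sorted(name for name, ver in packages_with_install_scripts(lock_json).items()
                  if allowlist.get(name) != ver)


if __name__ == "__main__":
    bad = unreviewed_install_scripts(SAMPLE_LOCK, ALLOWED_INSTALL_SCRIPTS)
    if bad:
        print("Install scripts present in unreviewed packages:", ", ".join(bad))
        print("Until reviewed, install with `npm ci --ignore-scripts` so no third-party code runs.")
        raise SystemExit(1)
    print("All install-time scripts are on the allowlist.")
```

Run it against the real lockfile in CI before `npm ci`; a non-zero exit blocks the build until someone reviews the new package, which turns the supplier's install hook from an implicit trust into a verified one.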
Q: How does Achilles help organisations address these emerging risks?
Tim:
Achilles provides visibility into the suppliers, platforms, and dependencies that form the backbone of a company’s operating environment. The aim is to ensure organisations understand who they’re connected to, how those suppliers manage their security, and where potential vulnerabilities sit.
As threats become more sophisticated, procurement teams need confidence that supplier information is current, verified, and risk-assessed. Technology teams need assurance that their partners manage credentials, authentication, and platform security effectively. Achilles brings those two worlds together.
In a climate where attackers move through trusted channels, that visibility isn’t optional. It’s foundational.
Q: What is the one message you want technology and procurement leaders to take from these emerging attack patterns?
Tim:
Security can no longer stop at the edge of the organisation. Every platform you interact with, every supplier you onboard, and every integration you build becomes part of your security boundary. Leaders need to widen their field of view, because attackers already have.